This is not a new occurrence, it may just now happening to you.
It is happening world wide and not just to phpBB, and it's not version specific.
Hackers/spammers are trying to 'brute force' passwords. The protection built into phpBB is only allowing x number of attempts then the CAPTCHA is presented. ACP->main page->user registration settings
Maximum number of login attempts:
After this number of failed logins the user needs to additionally solve the anti-spambot task.
A strong password will also insure the 'brute force' will not succeed.